A major vulnerability has been detected in one of the latest versions of Apache, version 2.4.49, that allows for remote code execution to take place. An update is now available to rid users of the vulnerability. Should your server be using Apache, check the version you have installed, and if found to be running on the vulnerable version, update to the latest version of 2.4.50 as soon as possible.
The bug, more specifically a remote code execution (RCE) bug, is circulating widely and has the ability to take over your entire server if not identified and removed. The bug affects not only public-facing web servers on Apache, but any software that has an HTTP interface that uses Apache as its built-in web server.
If you were slow to update and are currently running 2.4.48 or an earlier version instead of Apache 2.4.49, you’re one of the lucky ones! If not, read on to see how you can make the fix now.
What should you do to secure your servers?
Firstly check if you are currently using the vulnerable version of Apache Software. CENTOS (RHEL) Based systems must check httpd -V and UBUNTU (DEBAIN) Based systems must check: apachectl -v.
Secondly, review your network for all traditional and external visitors, as well as HTTP servers that hackers can use to make the most of an ongoing attack. If you are still unsure whether or not your software includes Apache, you can speak to your server provider who will be able to do the necessary checks for you.
If you did update to Apache 2.4.49 just under a month ago, it’s time to patch the bug and it’s a simple fix of upgrading to 2.4.50.
UPDATE: The patch is faulty, you will have to update again to secure your servers.
The vulnerability was given a score of 5.1 out of 10 in terms of the Common Vulnerability Scoring System (CVSS). But despite the high risk that hackers had easy access to sensitive information, Apache Software rolled the update out relatively quickly to mitigate this and potential data leaks.